Home » Featured » Not Only Drugs: New Market Focuses On Code, 0Days & Exploits

Not Only Drugs: New Market Focuses On Code, 0Days & Exploits

We are happy to introduce yet another market – not only for drugs and digital items such as CC’s but a market designed specifically for the sale of Code, 0Days & Exploits, the market name is “TheRealDeal”.

And the market Url is: http://trdealmgn4uvm42g.onion  (listed in our list)

We have conducted a short interview with the market admin:

What can you tell us about yourself / your market?

Ok, basically we consist of 4 partners who have a lot of experience in infosec. We have a lot of experience dealing in the clearnet when it comes to 0day exploit code, databases and so on .. But the problem is that 90% of these dealers are scammers. People with a lot of experience can always do their best to determine if what they are buying is real based on technical information and demos but some of these ‘vendors’ are very clever and very sneaky. We decided it would be much better if there was a place where people can trade such pieces of information and code combined with a system that will prevent fraud and also provide high anonymity.

We started off by using BitWasp, fully aware of its history and flaws, but since we have years of hands-on experience in the security industry and not much in web-design we decided it would be a good platform since we can make our own security assessments and patches while the whole multi-sig seems to work perfect. We also wanted to avoid involving other people in the project for obvious reasons and that was another reason why not to hire a web designer etc… although we might hire one off the darknet soon, just to improve the UI a little.

On our market you can currently find 0day exploits, that have no cve and have never been disclosed before, 1day fud exploits – exploits that have been published but modified to be undetectable by any anti-virus, 1day private exploits – exploits that have known CVEs but code was never released for them and also Infomation such as databases and remote admin tools. One of our vendors who messes around with GSM a lot is also going to post a listing for some very interesting hardware soon.

And why not use the digital items section on one of the existing markets like Agora where such items are being sold anyway?

Never seen 0day exploit code on any of these markets. We actually tried selling such information and codes ourselves at some point but it seems that all people want on those markets is credit cards and tutorials on how to make money with credit cards.

There are some IRC servers that are not easy to find or be invited to, where you can trade such items, but they are very hard to get to and we wanted to take a more ‘open-market’ approach

IRC servers on the darknet i mean..

Are offering Multisig transactions?

Yes, at this point in time we are offering only multisig transactions -We figured that you can’t start a market with zero reputation and expect people to just deposit into a live wallet they have absolutely no control of, that sort of idea sounds crazy to us. We are also offering FE for vendors who join and have good reputation on other markets by the way.

We heard few concerns about the usage of JS on your market, can you comment on that?

I understand that the people concerned about JavaScript are probably afraid of two things – One is cross site request forgery, where a link can be dropped via a message and once entered it will force the browser to take actions on another site (for example, as seen on other markets – “click” on release escrow on behalf of the user), we address this by using techniques that block cross site scripting completely.

I think the main concern regarding JS is to increase the attack surface against users by enabling JS exploits from the type we have seen on “freedom hosting”

The other concern people may have is exploitation .. but to be honest if the FBI has a zero day exploit that involves javascript, they will need to inject it into the site or send the user a message. The thing is that exploitation of web browsers is not limited to JavaScript .. they previously exploited a flaw that involves javascript but there are many exploits that can target a browser and heap spraying of the memory can be achieved even without javascript.

Besides that, we are currently working on moving everything that involves javascript to server side/php, but for now we are going to use javascript until the coding is complete and testing is over.

Will you be offering other products on the market or just code / 0days / expoits?

We recently added drugs due to the high demand, traditional for darknet markets, but we might consider removing this, we will have to see in the future. There is also a “services” category – anything can go there but we are hoping for some high quality blackhats to come forward and offer their services .. so anything from obtaining access to an email and getting a certain document and up to long term campaigns. Hardware category – for toys like fake cellular base stations and other physical ‘hacking’ tools. Information category for any kind of information, documents, databases, secret keys, etc.. We are also open to suggestions from our vendors :)

What is the vendor bond on the market?

We are currently offering free vendor accounts for 24 hours or so… we would love to see some new listings and inactive accounts will have to be removed after a certain period of time. After that the fee will start at somewhere around 0.2-0.5 BTC until the market is stable and earned the right to ask for more.

Anything else you want to add?

Well I think its worth mentioning again that we are not keeping any hot-wallets, all transactions are based on multi-sig and the user interface is quite easy. We require only 1 confirmation from the network and once the transaction is signed (just a click of a button) by both side – the escrow address releases the coins almost immediately.

I think people should bare in mind that JS bugs have been patched in recent releases of FireFox and exploits can target many parts of a browser even without JS. JS doesn’t expose people, Exploits do :)

When it comes to security, we are experts. I cannot say much, but I will tell you that a lot of changes have been made to the smarty lib, the core and randomness of keys. Currently, besides patching up what we found during our assessment, we are also at the final stages of configuring and deploying a WAF and IPS – This is something we are very good at. Our servers consist of full disk encryption and will be worthless in case of seizure, and all the hashing functions have been modified and hardened. You might think I said too much on this, but there are a lot more cards up our sleeves ;)

Thanks for the interview!

Thanks a lot for the opportunity !  And feel free to join and contact us at: http://trdealmgn4uvm42g.onion

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS


  1. I got the link to this on another market .. made a order for some greens today :) will let you know how it goes in a few days

  2. Eww the site requires JavaScript to run. fuck’em. It’s a site that does exploits and stuff.
    The last thing im doing is visiting the site with JS enabled.

  3. We are currently working very hard on the JS-Free version of our market.
    Should’nt be long now .. Besides, you only need to enable JS to create your key (one-off) and when you need to sign a transaction during the order proccess.

  4. First point, any serious darkmarket is delevoped in custom platform due obvious security.

    If these guys were “lot of experience in infosec” they developed their custom platform.

    Second point, yes javascript is one of the huge redflag in any hidden service because doens’t exist one way to exploit this, ARE HUNDREDS ways to exploit js to deanonymize TOR users. Again, if these guys were “lot of experience in infosec” NEVER they will start an illegal market before to patch it.

    Third point, multisig is not guarantee of trust. If admin control any vendor puppet account he can easily use their own private key + seller puppet key to scam easily.

    Fourty point, any person can claim to be a superhacker/superopsec, but without proof this person is just a dumbass speaking with fools.

    This market is bullshit until the moment, maybe in future they can proof something, by now are only promisses and nothing more than this. So, beware.

  5. HAXXOR,

    To address your first point, as mentioned in the interview – we are not web designers, just because we know how to debug and identify flaws while reading assembly it doesn’t mean we also know our way around css, even though it would be relatively easy to learn. The current code works and has been changed so much in the past few days that you could say it looks like bitwasp, and feels like bitwasp, but under the hood its not quite bitwasp any more.

    To address your second point I would ramble on about what it takes to exploit JS and what exploits are currently out there right now. But to be honest you named yourself HAXXOR :) I would like to remind you that we are building a NON-JS version as we speak.

    No body claimed to be a ‘superhacker’ as you put it, the only person who used the word HAXXOR is you :)

    You are entitled to your opinions of course even though they have not much of a basis, but I don’t think you are the ‘target demographic’ of our market anyway…even though you are registered…

    All the best,
    TheRealDeal Market

  6. More one point: “realdeal” admin doesn’t accept opinions as proved in deepdot forums. None vendor in their market is knowed vendor with huge historic in DW. Most possibily puppet accounts.

    Also he didn’t argue about multisig fraud to be easy to do with puppets accounts. And also he didn’t argue about why a “infosec specialist” like him put online an unfinalized market with “3 days of extensive code audit (LOL, 3 days)”

    Only fools will trust their senselles argues, that didn’t proof nothing in the “real deal” with bitcoins.

    Admin have time to do marketing with their “market” and have time to spam AGORA and other markets, but he doens’t have time to develop a custom platform instead to use unfinalized bugwasp.

    Again I will alert all users going to this new “market” using bugwasp beta for non production servers: BEWARE, you will lost your coins again trusting in noobs like this.

  7. all the 0days are bullshit ass public sploits

    • XOR – Can you show me code so we can move or removed the vendor ?
      Mostly curios about Android WebView and wpmu !

      Another Admin for TRD

  8. Sure we accept opinions. The people in the forum were all acting on behalf of ironclad – that market that just disappeared with all the coins a few days ago – yet another market using a hot wallet…

    In our case, the only way to get a hold of users coins would be to setup puppet vendor accounts and lure them into making deals – like you said, there is nothing to argue about.

    But if we were really aiming for an exit-scam we would force our users to use all server-side code and live wallets, wouldn’t we? Think.

    I’d like to say once again – you can throw any exploit or try to abuse any known bug related to BitWasp or anything else – nothing will work.
    We are ready to create a bug bounty program too with a ridicules amount of prize money.

    Our market is very much finalized. BitWasp out of the box – Isn’t.

    • Will your .onion contain free information as well? I believe adding this option will increase your .onion traffic.


      • Yes it will. We are working on a lot of things at the same time but this is something that will be added in the next update (a few hours from now)

        Thanks for the suggestion,
        TheRealDeal Market

  9. Javascript honeypot.

    • You know you can read all the js code in your browser right?
      Anyway, we are working on a JS-Free site, should be done soon.

  10. Hey,

    Setting up your payout address doesn’t seem to work, your FAQ page is 404 and do you have an email or some way of contacting you?

    • Hi PING,

      We fixed a minor bug in the payout address, should work fine now with all addresses.

      FAQ is due to an update, it should be back soon.
      In any case fee free to message user admin.

      Thanks for joining us,
      TheRealDeal Market

  11. Why not build a forum for user to disscuss.

    thank you

    • Give us a couple of hours :)
      Its in progress, we are just waiting on our server provider at this point.

      Hope to see you there!

  12. littleblackarnold

    I wonder about thisal ready. I signed to be a vendor for free as claimed in this article. After getting burned by Evo riunning off with all my money, I thought well isnt that nice cool. No one is hitting me with the fuck stick for once. When I’m signed up it won’t let me go active till I deposit .2 btc. It is supposed to be free for 24 hr, this article can’t be more than just a couple of hours old. I scoured the “Real deal” looking for someway to contact the owners,because the article says” register as a vendor and contact us.” Yeah right! WHACKY WHACKY There’s the fuck stick again. Can’t a little black man ever get a break?

  13. Two factor authentication window is blank when I log in

  14. TheRealDeal> Do You have any kind of references or You only to lie about everything ?
    You can be exadmins from EVO or LE so because of this We do not have trust to any new markets!

    • Yes you can find us all on linkedin :)

      We have vendor accounts on other markets (agora never gave us our bond back btw) .. what would you consider proof ?

      • Haha very funny scumbag!
        BitWasp required a multisig address to operate, but yours crap do not care it. This is nice proof of Your stupidity and even do You do not know what You are doing.
        I am pretty sure You are do not understood What I wrote because You are stupid and do not even to know how BitWasp working … How You could then modified the code without have a enough of knowledge that is very stupid and every of your argument looks like a lie now.

        Well done!

        • hmm, what?

          • I deeply know all bases of BitWasp and in simple sentence. You have badly edited BitWasp source code and You even do not know about it. Problems shows up in near future and You will not be able repair the because of your mental state. Please all be aware!

  15. I wonder how can some people be so rich to spend 30btc for an exploit? Bloody hell it’s 8thousand dollars :/

    • The people who spend that money usually profit a lot more from their ‘investment’. They either embed it into their exploit kit that they sell, resell the exploit itself, or use it for a specific target who hold something worth a lot more…like documents, information, keys… This “game” has changed quite a lot in the past decade, with many more actors out there, and as you know, today information is everything.

  16. WARNING!
    This is same team from Evolution.


    • We are certainly not. I would think that the Evo scum are sitting on a beach somewhere, or playing satoshi dice with thousands of bitcoins… Not opening a new market with no live wallet and profiting from tiny fees on a multisig escrow system.

  17. TRD, I am not going to write anything about your market itself, as I would definitely be subjective.

    Instead, I will rather have you explain to all these good people here why the fuck is that DOX guy selling doxxing services on a DNM, which just happens to be yours?…

    So much for the target audience, guys. All the DW was created in order to provide anonymity, privacy, and prevent the very thing on sale for 30-60$ on your market.

  18. I have a curiosity, though:

    How come a DNM allows selling of doxing services?… really, guys, I couldn’t believe my eyes when I saw that on your market.

    So much for the target audience… the very reasons for which the DW was born in the first place were providing privacy, anonymity, and preventing the very same things on sale on your market for 30-60$ to happen…

  19. Latest JS exploits are from the year 2014. Those are not the last ones. There will be new ones in the future, those new ones are called 0days. This site is selling 0days? And they tell you JS not vulnerable anymore? WFT ???

    • Nobody said its not vuln, but you must understand that there could be a favicon 0day exploit out there, or svg, or gif, fonts, you name it… Will markets stop using images tomorrow if there was?

      Anyway we are days away from launching the non-js market version, we hope this helps, and might just move everything there too.


  20. Quick question, though:

    Why do you allow people on your market to sell doxxing services? It kinda freaked me out, to be honest…

    There is no place on the deepweb allowing this kind of stuff, at least none that I know of.


  21. I want to believe, but I don’t see how your model can be successful, the value in exploits is in controlling the intellectual property, once you start selling to the general public they are no longer zero days! If you’re in infosec you know the security companies pay their researchers to search the darknet for new exploits/malware and reverse them…they call it “threat intelligence” the reason kits work is because there are alot of dumb asses out there. While I’d like to see a quality pro US hacker marketplace rise up to hack the shit out of the Russians and the Chinese, it just isn’t happening. The US is now a country full of deadbeats, burnouts, pedos, and fraudsters…and the FBI, DHS, SS, and NSA would rather fuckover their own citizens for their next promotion and a few extra $k/yr than take on the real enemy…because its easier and their sheep!

    This is a US law enforcement honeypot!

    • I think that most offers on the 0day category are for exclusive sale (1 buyer only).

      Researchers usually don’t care where the money comes from or what happens with their code. Selling zero day code is nothing new to the world – bare in mind not all researchers work for companies and these days its not easy for these kind of ‘freelancers’ to find the right buyers – they each usually have a small buyer base and usually that includes some companies too.

      Yes – they can always sell to ZDI for a ripoff price, but for the right audience a 0day in adobe flash could be worth 100K+ instead of 30k.

      I don’t see how you can call this a honeypot, US or otherwise…
      But thanks for your opinion,
      TRD Admins

  22. Why are doxing services being sold on your market?…


  23. You’re going to give out a prize for finding hacking vulnerabilities in your site?

    Dude, that’s not cool. Your shit should be hardened beforehand to protect your client’s info and money.

    Using bitwasp and javascript are not the way to go about doing that. I understand that you think its safe because you think you know what you’re doing, but EVERBODY knows what they are doing until the get jacked.

    The mere fact that you announced your framework was against every rule of opsec. Using javascript, if nothing else, exposes part of your operation to the public.

    If nothing else, it brings up questions about your marketing sense.


    • The point is – It is hardened. We are confident that the flaws in the current framework have been fully fixed and patched. The idea of a bug bounty was just a little tease – we get scanned and see the most ridiculous and also smart attempts every day.

      Within a few days we will be moving everything to a non-js version of the market, with a completely unique framework.

      Besides that, we use multisig, no hot wallets – there are no coins to steal! heck, one wouldn’t even be able to put their hands on our commissions…

      Our users privacy is our main concern, and we have modified almost every hashing and encryption function and algo so that even if there was that slightest possibility that someone found both the encrypted data and the keys – they would probably not know how to use them. Besides that it seems most of our users are using PGP anyway.

      There are many more things that I could tell you (well, maybe not) to assure you that we are not talking out of our arses here, we do know what we are doing.

      Thanks for your concerns,
      TheRealDeal Market

      • Why is it that you keep repeating the multi-Sig,no hot wallet aspect? By nature of your site most vendors will be unknown to the community. You could be 98% of the vendors and nobody would know. Also, it is annoying when you toss around the term multi-Sig since you and your 3 pals holding the third key is exactly opposite of the concept of decentralized escrow. I have no bones to pick with you – I just am annoyed as fuck by the fact that you either think we are all naive, or you are truly clueless (or LE after low hangers)

        • It has to be repeated since people think that the evo-scum are behind this, instead of retired.

          Yes we hold the 3rd key to the 2/3 signing process, but give us some time – our market has been online for less than 2 weeks. Hopefully we will see some of the more known vendors joining soon (and has a surprising amount of orders and registrations).

          Otherwise we will be looking into other 3rd party escrow systems soon..

  24. right!: selling old long-since-leaked public RATs for BTC, takes “real infosec experience”
    0days are hardly ever 0days, but scammers, as the article states.

    Another darkweb counterpart to 1337day, I suppose?

  25. Why wouldn’t doxxing be allowed? It’s a valuable service that’s in demand. It’s absence here wouldn’t change anything. Is it because it doesn’t fit with the hippy ideals of some tinfoil hat wearing nobodies in their mom’s basement? Yeah, no one cares about you and am sure the FBI already knows about you from that 4chan posts and other weird shit.

    Now if was removed because of 2-3 asshats commented here, that would make the guy running it a realloser like the rest of you. You guys are nothing but the peanut gallery. Your broke, stupid asses aren’t buying or selling anything and you know it.

  26. Hey,

    TheRealDeal team there are currently to major bugs

    #1 receive an error when registering.

    #2 when logging in the Two factor authentication window with pgp message is blank.

Leave a Reply

Your email address will not be published. Required fields are marked *


one + = 5

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" da